on your network or perimeter DMZ, then sit back and wait for hits on the system. Since there's no valid business purpose for access, the honeypot system will reliably indicate hacker attempts or suspect activity. Technically astute staffers, system maintenance and a sound policy defense are required investments, yet for some organizations honeypots provide a cost-effective, proactive security layer for sensitive information systems.

Honeypots entice intruders to focus on faux computer systems, while documenting an evidence trail. The systems replicate vulnerable servers and workstations. Depending upon the product and the amount of customization performed, a honeypot can appear to run susceptible applications and contain valuable intellectual property. The assumption is that the hackers will focus their efforts on the information and systems, and allow the security personnel to study their efforts.

The value of a honeypot placed behind a firewall, or in another protected network location, is its ability to filter out which attacks truly need investigating. Unauthorized access attempts, from within and outside an organization, pound networked systems daily. In fact, individual IP addresses are scanned 3-5 times a day given the abundant broadband connections, widely available scanning tools and thousands of script kiddies. All this translates into an inordinate amount of intrusion noise. While intrusion-detection systems can identify suspect traffic patterns, they also create false positive alerts (and, even worse, false negatives). Honeypots, by contrast, while subject to false positives, incur bogus results less frequently (typically from mistyped IP addresses and system names or IT's use of network scanning tools for finding vulnerabilities).
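The false-positive sources named above (mistyped addresses and IT's own scanning tools) can be separated from hits worth investigating with a triage pass over honeypot connection events. This is an added example, not part of the original article; the address range, scanner hosts, scan window and sample events are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for this sketch; none come from the article.
INTERNAL_NET = ip_network("10.0.0.0/8")
IT_SCANNERS = {ip_address("10.0.5.20"), ip_address("10.0.5.21")}  # hypothetical sanctioned scanners
SCAN_WINDOW = (900, 1100)  # approved scan window, epoch seconds

# Constructed sample events: (epoch seconds, source IP, destination port)
SAMPLE_EVENTS = [
    (1000, "10.0.5.20", 22), (1001, "10.0.5.20", 80), (1002, "10.0.5.20", 445),
    (2000, "10.0.8.31", 445),
    (3000, "10.0.9.77", 22), (3005, "10.0.9.77", 22), (3010, "10.0.9.77", 3389),
    (4000, "203.0.113.9", 80),
    (5000, "10.0.5.21", 22),
]


def triage(events):
    """Return {source_ip: verdict} for every source that touched the honeypot."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))

    verdicts = {}
    for src, hits in by_src.items():
        addr = ip_address(src)
        is_scanner = addr in IT_SCANNERS
        in_window = all(SCAN_WINDOW[0] <= ts <= SCAN_WINDOW[1] for ts, _ in hits)
        if is_scanner and in_window:
            verdicts[src] = "suppress"     # IT's own vulnerability scan, on schedule
        elif addr in INTERNAL_NET and not is_scanner and len(hits) == 1:
            verdicts[src] = "review"       # lone touch: likely a mistyped address or name
        else:
            verdicts[src] = "investigate"  # repeated, external, or off-schedule scanner
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{src:<14} {verdict}")
```

A scanner host that touches the honeypot outside its approved window is escalated rather than suppressed, so the allowlist does not become a blind spot.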

More importantly, the suspect activity identified on a honeypot system can hone an organization's threat reconnaissance. It enables security pros to refine their searches for new attacks, and potentially assess the skill and intent of the attacker. A honeypot system acts as an early warning system -- it identifies an attack in progress, highlights the methods the attacker is using and reveals what the perpetrator is looking for.

From a technological perspective, honeypots have little downside. But there's more to consider than technology, such as the technical ability and available time of your administration and security staffs. Giving an overworked staff more tasks to do won't generally improve an organization's security. And, if the staff isn't technically competent to understand, implement, maintain and act on the information attained in using the honeypot system, it will have minimal effect on improving security. However, it's a great tool for staffs that adequately maintain their own systems, and individual departments that work on highly sensitive information or maintain a large number of computer systems. In general, random departments within a company should leave honeypots to the corporate security staff.

There are potential legal arguments as well, which are sometimes used by intruders snagged by honeypots: Some argue that the honeypot was an "attractive nuisance" or its use amounts to entrapment. While such arguments could be ignored, they've been commonly raised as a defense. As long as your company has the appropriate computer usage policies for insiders, and the standard warnings for outsiders, you shouldn't have a problem.

About the author: Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.
